INetSim

Introduction

INetSim is a software suite for simulating common internet services in a lab environment, e.g. for analyzing the network behaviour of unknown malware samples. It offers support for DNS, HTTP, FTP, SMTP, among others.

Here is a great blog post on setting up InetSim for your lab environment:

Malware Analysis: First Steps — Creating your labMedium

Simulating Network Traffic

Configure INetSim

$ sudo vi /etc/inetsim/inetsim.conf

The below need to be uncommented and specified.

service_bind_address <Our machine's/VM's TUN IP>
dns_default_ip <Our machine's/VM's TUN IP>
dns_default_hostname www
dns_default_domainname iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

Initialize INetSim

$ sudo inetsim 
INetSim 1.3.2 (2020-05-19) by Matthias Eckert & Thomas Hungenberg
Using log directory:      /var/log/inetsim/
Using data directory:     /var/lib/inetsim/
Using report directory:   /var/log/inetsim/report/
Using configuration file: /etc/inetsim/inetsim.conf
Parsing configuration file.
Configuration file parsed successfully.
=== INetSim main process started (PID 34711) ===
Session ID:     34711
Listening on:   0.0.0.0
Real Date/Time: 2023-06-11 00:18:44
Fake Date/Time: 2023-06-11 00:18:44 (Delta: 0 seconds)
 Forking services...
  * dns_53_tcp_udp - started (PID 34715)
  * smtps_465_tcp - started (PID 34719)
  * pop3_110_tcp - started (PID 34720)
  * smtp_25_tcp - started (PID 34718)
  * http_80_tcp - started (PID 34716)
  * ftp_21_tcp - started (PID 34722)
  * https_443_tcp - started (PID 34717)
  * pop3s_995_tcp - started (PID 34721)
  * ftps_990_tcp - started (PID 34723)
 done.
Simulation running.

Configure Windows Pwnbox

On the Windows host go to Settings -> Network -> Change adapter options -> Select adapter & click Properties.

Click "Internet Protocol Version 4 (TCP/IP) -> "Properties"

Input the IP of our box InetSim is running on:

PreviousNetwork Traffic Analysis NextStatic Analysis

Last updated 8 months ago